In the absence of optimal security, IT departments in the financial sector generally ban the mobile exchange of emails and attachments by employees. ING Luxembourg has found a way to make an exception to this rule.
Managers are often required to travel for their work and to maintain constant interaction with their email, attachments, contacts and calendar through their smartphones, which have become a standard part of their basic IT equipment. However, while current technology can efficiently meet this need for mobility, its use by professionals in the finance sector remains, for many, a daunting challenge with regard to data security.
ING Luxembourg could not just supply their staff with devices able to provide mobile access to the necessary information: the essential condition for the safe exchange of incoming and outgoing data was that it be ultra-secure. In other words, it had to meet the security criteria imposed by the national control body (the CSSF – Commission de Surveillance du Secteur Financier) as well as the internal security rules in effect at ING Luxembourg, which far exceed the recommendation of the international control authorities.
A foolproof chain for data containment
To start with, Telindus proposed a solution based on mature and proven Microsoft technology, capable of meeting the absolutely essential requirement that the mobile data be subject to a high level of security, especially when the user is traveling abroad.
“Together, in May 2008, we examined, identified and developed solutions for all potential access to this data. We visualized every potential situation imaginable, even a lost or stolen device. We defined the target level of security, but also its management and its remote control,” explained Didier Schneider, Manager, Information Technology Services at ING Luxembourg.
The smallest amount of data that enters or exits is placed under the all-seeing control of encrypted VPN tunnels that are connected to the financial institution’s principal secure server. The data exchanged between the terminal and the messaging server remains at the Luxembourg site and, thanks to this chain that is perfectly impervious to any intrusion, the IT department can keep track of all of the data, whatever the point of access.
Moreover, the applications installed on the smartphones are rigorously controlled and locked, which, in the context of use for professional purposes, is more than sufficient for all ING’s mobility needs.
The extension of the workstation
Since June 2008, the managers of ING Luxembourg have had a solution in place that is both operational and secure. But what about ease of use? This was precisely the second requirement that was defined.
For end-users working in a Microsoft environment at the office, the choice of this system was a natural one, since it retains the same look & feel, the same navigation and the same type of access to Word and Excel documents in a mobile context. “The mobile emails are archived via Microsoft Exchange, which is part of the added value of the solution, while this convergence between desktop and mobile email is also geared towards ease of use with no disruption of our managers’ existing habits”.
Company Profile
ING is an originally Dutch financial institution that offers banking, insurance and investment services to over 85 million private, corporate and institutional clients in over 50 countries.
Business impact
• Higher productivity of the management team
• Encourages sharing knowledge with colleagues thanks to improved system response
• Encourages collaborative teamwork
• Solution remains open to technological advances
• Environment easily adaptable to meet changing needs (use of specially adapted applications on mobile terminals)
Bits & Bytes
• Secure connection for the user through a web portal with online requests for enrolment of the cellphone (Windows Mobile 6.1 required), or connection for the administrator via his administration console
• SSL connection from the mobile to the enrolment server via a Wi-Fi or GSM network
• Encryption of the name of the enrolment server and the One Time PIN Code generated at the previous step (valid for 8 hours, one-off)
• Creation by the enrolment server of a machine account in the Active Directory and a request for a user certificate for the mobile phone
• Thereafter, connection to the Internet from the gateway, the name of which was provided at the time of enrolment
• Authentication via the user certificate and negotiation of a secure link via an encryption algorithm
• Access to the company network and recovery of data from the gateway, where it has been transferred through a secure channel after processing by the server MS System Center Mobile Device Manager 2008.
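The one-time enrolment PIN in the steps above (valid for 8 hours, one-off) can be modelled server-side as follows. This is an added example, not code from Telindus, ING or Microsoft System Center Mobile Device Manager; the class and function names, the 8-digit PIN length, the PBKDF2 storage and the five-attempt limit are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

PIN_TTL_SECONDS = 8 * 3600   # from the page: PIN valid for 8 hours
MAX_ATTEMPTS = 5             # assumption: the page gives no retry limit


class EnrolmentPins:
    """Hypothetical store of pending enrolment requests, keyed by device."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending = {}   # device_id -> [salt, pin_hash, expires_at, failures]

    @staticmethod
    def _digest(salt, pin):
        # Only a salted, stretched hash of the PIN is kept server-side.
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 50_000)

    def issue(self, device_id):
        """Create a fresh PIN; any earlier PIN for the device is replaced."""
        pin = f"{secrets.randbelow(10**8):08d}"   # assumption: 8 digits
        salt = secrets.token_bytes(16)
        expires_at = self._clock() + PIN_TTL_SECONDS
        self._pending[device_id] = [salt, self._digest(salt, pin), expires_at, 0]
        return pin

    def redeem(self, device_id, pin):
        """Return 'ok' once at most; every other outcome refuses enrolment."""
        entry = self._pending.get(device_id)
        if entry is None:
            return "unknown-or-used"
        salt, pin_hash, expires_at, _ = entry
        if self._clock() >= expires_at:
            del self._pending[device_id]
            return "expired"
        if not hmac.compare_digest(pin_hash, self._digest(salt, pin)):
            entry[3] += 1
            if entry[3] >= MAX_ATTEMPTS:
                del self._pending[device_id]   # force a new enrolment request
                return "locked"
            return "bad-pin"
        del self._pending[device_id]           # one-off: consume on success
        return "ok"
```

The injected clock lets the 8-hour expiry be exercised without waiting; in the flow described above, a successful redemption is the point at which the machine account and user certificate would be requested.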
More info?
For more information on this solution, visit the Belgacom website or contact your Account Manager.




